On 02/13/2016 04:16 PM, [email protected] wrote:
> On 2016-02-12 06:57, Cain Ungothep wrote:
>>> On 02/08/2016 01:36 AM, Georg Koppen wrote:
>>>
>>>> Mirimir:
>>>>
>>>>> When automatically updating, does Tor browser check GPG signatures of
>>>>> downloaded updates before installing them?
>>>>
>>>> The update files are not using GPG signatures (see:
>>>> https://wiki.mozilla.org/Software_Update:MAR for detailed information
>>>> about the MAR file format). They are signed, though, and the updater
>>>> refuses to install the update if the signature is non-existing or
>>>> wrong.
>>>>
>>>> Georg
>>>
>>> Thank you.
>>>
>>> For those who wish to update manually, is it sufficient to toggle
>>> app.update.auto in about:config to false?
>>
>> Seems so. You will still be prompted to update through the MAR system,
>> but it won't happen automatically.
>
> Today I discovered that TBB 5.5.2 automatically downloaded. That hasn't
> happened before. Normally I am prompted and manually download the tar
> bundle with the signature file which I check with gpg --verify.
>
> I'm confused as to why this time I received an automatic download. Any
> thoughts?

That's what triggered my question. It seems that automatic updating is
now the default. That's a good idea. Consider the Freedom Hosting
exploits.

I can't say that I trust the MAR update protocol as much as checking GPG
signatures. But then, most people who even remember to update don't
bother checking GPG signatures. So it's a net improvement. The
scrupulous can disable automatic updating, and go old school.
